
Gcc stack smashing detected
I was recently asked by a friend how the Linux stack canary values work. After performing a quick online research I wasn't able to find anything useful to give him. So, here is my writing on how GNU C Library stack canary values work. WARNING: There is no exploitation information in this post. Just the GLIBC's stack canary value's functionality. We'll compile it using -fstack-protector-all to force GCC into using the Stack Smashing Protection features it has.

xorl:~$ gcc -fstack-protector-all ahoy.c -o ahoy -ggdb2

Since this post is mostly written for people that are just getting started with system internals, I'll explain everything. The address of the stack pointer at an offset of 0x4 is loaded into ECX, then the stack pointer is aligned and the original stack pointer (ECX-4) is pushed onto the stack. Then, the well known function prologue takes place. The current base pointer (indicating a new stack frame) is pushed onto the stack and the value of the stack pointer is placed in the base pointer. Next, the current value of ECX (containing the original stack pointer's value) is also pushed onto the stack and the stack pointer is decremented by 0x14 in order to make sufficient space for the function.

This is the actual stack canary code in the binary. It obtains the canary's value from '%gs:0x14' and stores it in the EAX register. It then places it on the stack just after the previously constructed stack frame. Then EAX is zeroed out since the canary value has no reason to be left there. This is the actual program that places the contents of 0x8048500 on the stack and invokes printf(3) from the available PLT (Procedure Linkage Table) entry. After the return of the printf(3) library routine, the SSP code performs the canary value check. Obviously, it first retrieves the canary value from the stack and stores it in the EDX register.

Then it compares it against '%gs:0x14', which is the actual canary value. If they are equal it uses the 'je' (Jump if Equal) instruction to continue the execution at address 0x804842d. Otherwise, it calls the __stack_chk_fail() library routine through the PLT. In the first case, the execution continues from that point: the first instruction frees the allocated stack space and the next ones are a common function epilogue procedure.
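To make the three steps above concrete (fill the guard slot in the prologue, let the function body write into its local buffer, compare the slot before returning), here is an added example in C. It is my own illustration, not code from the original post, from GCC or from glibc: a plain struct stands in for the stack frame, so that the guard word sits directly after a 16-byte local buffer the way SSP lays it out. The struct name guarded_frame, the guard value CONSTRUCTED_GUARD, and the functions run_guarded_copy, run_bounded_copy and demo_* are all constructed for this demonstration; a real canary is the per-process random value read from %gs:0x14, which portable C cannot access, so the example uses a fixed constructed guard and reports the check's verdict as a return value instead of aborting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for one SSP-protected stack frame: the guard word sits
 * directly above the local buffer, between it and the saved registers, so a
 * linear overflow of buf must pass through it before reaching EBP or the return
 * address. */
struct guarded_frame {
    char buf[16];
    uintptr_t canary;     /* the slot the prologue fills from %gs:0x14 */
    uintptr_t saved_ebp;  /* stands in for the pushed base pointer */
    uintptr_t ret_addr;   /* stands in for the saved return address */
};

/* Constructed guard value. glibc picks a random one per process; like glibc's,
 * this one keeps its lowest-address byte at 0x00 on little-endian hosts, so a
 * NUL-terminated string copy cannot run past the slot without altering it. */
static const uintptr_t CONSTRUCTED_GUARD = (uintptr_t)0x5a7e4c00u;

/* Prologue step: load the guard and store it in the slot above the buffer. */
static void place_canary(struct guarded_frame *f)
{
    f->canary = CONSTRUCTED_GUARD;
}

/* Epilogue step: reload the slot and compare it against the guard.
 * Returns 1 when they match (execution continues past the 'je'),
 * 0 when they differ (the real code would call __stack_chk_fail). */
static int canary_intact(const struct guarded_frame *f)
{
    return f->canary == CONSTRUCTED_GUARD;
}

/* Body of the protected function: copies 'len' caller-supplied bytes into the
 * 16-byte buffer with no bounds check, then runs the canary check that would
 * precede the ret.  The copy goes through the struct's own bytes, so the
 * overflow stays defined behaviour here; in a real frame the bytes past buf
 * land on the canary, then the saved EBP, then the return address. */
int run_guarded_copy(const unsigned char *input, size_t len)
{
    struct guarded_frame f;
    memset(&f, 0, sizeof f);
    f.saved_ebp = (uintptr_t)0xbffff2d8u;  /* constructed placeholder */
    f.ret_addr  = (uintptr_t)0x08048400u;  /* constructed placeholder */
    place_canary(&f);

    if (len > sizeof f)          /* never write past the object we own */
        len = sizeof f;
    memcpy(&f, input, len);      /* the unchecked copy, starting at buf[0] */

    return canary_intact(&f);
}

/* The same body with the length check a hardened version would have:
 * anything beyond the buffer's capacity is dropped, so the guard is never reached. */
int run_bounded_copy(const unsigned char *input, size_t len)
{
    struct guarded_frame f;
    memset(&f, 0, sizeof f);
    place_canary(&f);

    if (len > sizeof f.buf)
        len = sizeof f.buf;
    memcpy(f.buf, input, len);

    return canary_intact(&f);
}

/* Constructed input: 'len' bytes of 'A', fed to the chosen function body. */
static int case_with_fill(size_t len, int (*run)(const unsigned char *, size_t))
{
    unsigned char fill[64];
    memset(fill, 'A', sizeof fill);
    return run(fill, len);
}

int demo_exact_fit(void)        { return case_with_fill(16, run_guarded_copy); } /* buffer full, guard untouched */
int demo_one_byte_over(void)    { return case_with_fill(17, run_guarded_copy); } /* first byte past buf hits the guard */
int demo_full_overflow(void)    { return case_with_fill(64, run_guarded_copy); } /* guard, EBP and ret all overwritten */
int demo_bounded_overflow(void) { return case_with_fill(64, run_bounded_copy); } /* length check keeps the copy in buf */

int main(void)
{
    const char *verdict[] = { "*** stack smashing detected ***", "canary intact" };
    printf("exact fit (16 bytes)      -> %s\n", verdict[demo_exact_fit()]);
    printf("one byte over (17 bytes)  -> %s\n", verdict[demo_one_byte_over()]);
    printf("full overflow (64 bytes)  -> %s\n", verdict[demo_full_overflow()]);
    printf("bounded copy (64 bytes)   -> %s\n", verdict[demo_bounded_overflow()]);
    return 0;
}
```

The one-byte-over case is the instructive one: the check fires as soon as the first byte past the buffer lands on the guard slot, long before the saved registers are touched, which is exactly why the guard is placed between the locals and the saved frame. The bounded variant shows the other half of the picture: SSP only reports damage after the fact, while the length check prevents it.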